[PULL Jammy] LP: #1967579
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Apr 4 13:48:57 UTC 2022
[Impact]
Branch History Injection is made easier when all indirect calls are funneled
through very few points where the retpolines were. By replacing the retpoline
jumps by indirect calls whenever retpolines are disabled, BHI attacks are more
difficult to execute as the BTB is not as fixed as before.
[Fixes]
The fixes here allow the kernel to rewrite the retpoline calls to indirect
calls when retpolines are off and to precede those with an lfence when
retpoline,lfence is the mitigation of choice. BPF JITed programs will also
respect the chosen mitigation.
[Test]
It was verified that a retpoline call was replaced with the lfence + indirect
call when spectre_v2=retpoline,lfence was used.
[Potential regressions]
Indirect calls might be broken or vulnerable to speculative execution attacks.
The following changes since commit f4a9abe17854fc753c84a0ba4ac275e715a008f3:
UBUNTU: Ubuntu-5.15.0-25.25 (2022-03-30 17:28:11 +0200)
are available in the Git repository at:
https://git.launchpad.net/~cascardo/ubuntu/+source/linux/+git/jammy unfunnel
for you to fetch changes up to 87e6aa3722bda9e2c8de6cbaa311228d23a00a85:
bpf,x86: Respect X86_FEATURE_RETPOLINE* (2022-03-31 09:41:43 -0300)
----------------------------------------------------------------
Peter Zijlstra (15):
objtool: Classify symbols
objtool: Explicitly avoid self modifying code in .altinstr_replacement
objtool: Shrink struct instruction
objtool,x86: Replace alternatives with .retpoline_sites
x86/retpoline: Remove unused replacement symbols
x86/asm: Fix register order
x86/asm: Fixup odd GEN-for-each-reg.h usage
x86/retpoline: Move the retpoline thunk declarations to nospec-branch.h
x86/retpoline: Create a retpoline thunk array
x86/alternative: Implement .retpoline_sites support
x86/alternative: Handle Jcc __x86_indirect_thunk_\reg
x86/alternative: Try inline spectre_v2=retpoline,amd
x86/alternative: Add debug prints to apply_retpolines()
bpf,x86: Simplify computing label offsets
bpf,x86: Respect X86_FEATURE_RETPOLINE*
arch/um/kernel/um_arch.c | 4 +
arch/x86/include/asm/GEN-for-each-reg.h | 14 ++-
arch/x86/include/asm/alternative.h | 1 +
arch/x86/include/asm/asm-prototypes.h | 18 ---
arch/x86/include/asm/nospec-branch.h | 72 ++---------
arch/x86/kernel/alternative.c | 191 ++++++++++++++++++++++++++++-
arch/x86/kernel/module.c | 9 +-
arch/x86/kernel/vmlinux.lds.S | 14 +++
arch/x86/lib/retpoline.S | 56 ++-------
arch/x86/net/bpf_jit_comp.c | 160 +++++++++---------------
arch/x86/net/bpf_jit_comp32.c | 22 +++-
tools/objtool/arch/x86/decode.c | 120 ------------------
tools/objtool/check.c | 208 ++++++++++++++++++++++----------
tools/objtool/elf.c | 84 -------------
tools/objtool/include/objtool/check.h | 1 -
tools/objtool/include/objtool/elf.h | 8 +-
tools/objtool/special.c | 8 --
17 files changed, 475 insertions(+), 515 deletions(-)
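The rewrite described under [Fixes] and checked under [Test] can be modelled in a few dozen lines. The block below is an added example, not code from the kernel, from this pull request or from its author: it rewrites one site that calls or jumps to a retpoline thunk into the inline indirect branch, optionally preceded by lfence, and keeps the thunk when the replacement would not fit in the original instruction. The mitigation mode names (RP_RETPOLINE, RP_LFENCE, RP_OFF), the site kinds, and the register numbering (0..15 for rax, rcx, rdx, rbx, rsp, rbp, rsi, rdi, r8..r15, assumed to match the thunk array order) are this example's own; the sample instructions are constructed with a placeholder rel32 displacement, and padding uses single-byte NOPs for readability.

```c
/* Added model of an in-place retpoline site rewrite (not kernel code).
 * Register index: 0..15 = rax, rcx, rdx, rbx, rsp, rbp, rsi, rdi, r8..r15
 * (assumed thunk array order). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CALL_REL32 0xe8   /* CALL rel32 to __x86_indirect_thunk_<reg> */
#define JMP_REL32  0xe9   /* JMP  rel32 to __x86_indirect_thunk_<reg> */
#define NOP1       0x90

enum rp_mode { RP_RETPOLINE, RP_LFENCE, RP_OFF };   /* assumed names */
enum site_kind { SITE_CALL, SITE_JMP, SITE_JE };     /* constructed samples */

/* Emit CALL/JMP *%reg: FF /2 or FF /4 with ModRM mod=3; REX.B for r8..r15. */
static int emit_indirect(uint8_t op, int reg, uint8_t *out)
{
    int i = 0;
    uint8_t modrm = (op == CALL_REL32) ? 0x10 : 0x20;

    if (reg >= 8) {
        out[i++] = 0x41;
        reg -= 8;
    }
    out[i++] = 0xff;
    out[i++] = (uint8_t)(0xc0 | modrm | reg);
    return i;
}

/*
 * Rewrite one site. insn/len is the original e8/e9 rel32 (5 bytes) or
 * 0f 8x rel32 Jcc (6 bytes) targeting the thunk for register reg.
 * Returns the bytes written to out (== len), or -1 when the thunk must
 * stay: full retpoline mode, or the inline sequence is longer than the
 * instruction it would replace.
 */
int patch_retpoline_site(const uint8_t *insn, int len, int reg,
                         enum rp_mode mode, uint8_t *out)
{
    int i = 0;
    uint8_t op = insn[0];

    if (reg < 0 || reg > 15 || reg == 4)   /* CALL/JMP *%rsp is never valid */
        return -1;
    if (mode == RP_RETPOLINE)              /* retpolines on: keep the thunk */
        return -1;

    /* Jcc.d32 thunk -> inverted Jcc.d8 that skips the inline JMP below. */
    if (op == 0x0f && (insn[1] & 0xf0) == 0x80) {
        uint8_t cc = (insn[1] & 0x0f) ^ 1;
        out[i++] = (uint8_t)(0x70 | cc);
        out[i++] = (uint8_t)(len - 2);
        op = JMP_REL32;
    }
    if (mode == RP_LFENCE) {               /* LFENCE before the indirect branch */
        out[i++] = 0x0f; out[i++] = 0xae; out[i++] = 0xe8;
    }
    i += emit_indirect(op, reg, out + i);
    if (i > len)
        return -1;                         /* e.g. LFENCE + r8..r15 needs 6 bytes */
    while (i < len)
        out[i++] = NOP1;
    return i;
}

/* Build a constructed sample site (rel32 is a zero placeholder), patch it
 * and compare with the expected hex string; expect == NULL means "thunk
 * kept" (-1). Returns 1 on match, 0 otherwise. */
int check_site(enum site_kind kind, int reg, enum rp_mode mode, const char *expect)
{
    uint8_t insn[6] = {0}, out[8] = {0};
    char hex[32] = "";
    int len, n;

    switch (kind) {
    case SITE_CALL: insn[0] = CALL_REL32; len = 5; break;
    case SITE_JMP:  insn[0] = JMP_REL32;  len = 5; break;
    default:        insn[0] = 0x0f; insn[1] = 0x84; len = 6; break; /* je */
    }
    n = patch_retpoline_site(insn, len, reg, mode, out);
    if (n < 0)
        return expect == NULL;
    if (expect == NULL || n != len)
        return 0;
    for (int i = 0; i < n; i++)
        snprintf(hex + strlen(hex), sizeof hex - strlen(hex),
                 "%s%02x", i ? " " : "", out[i]);
    return strcmp(hex, expect) == 0;
}

int main(void)
{
    /* The [Test] case: spectre_v2=retpoline,lfence on a CALL via the rax thunk */
    printf("lfence + call *%%rax: %s\n",
           check_site(SITE_CALL, 0, RP_LFENCE, "0f ae e8 ff d0") ? "ok" : "MISMATCH");
    printf("lfence + call *%%r8 keeps thunk: %s\n",
           check_site(SITE_CALL, 8, RP_LFENCE, NULL) ? "ok" : "MISMATCH");
    return 0;
}
```

The size check is the point worth keeping in mind when reading the [Potential regressions] line: with retpoline,lfence the 5-byte call sequence only fits for the low eight registers, so sites using the r8..r15 thunks stay behind the thunk rather than being inlined, and a Jcc site with lfence (7 bytes into 6) is likewise left alone.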